web1b
Level 7
Message 1 of 19

MVISION ePO For Servers Without Internet Access?

If we want to manage Windows servers using MVISION ePO, will every server need to be provided with internet access so they can reach the mvision.mcafee.com network addresses or is there any way to use some kind of "super agent" or "relay agent" or "remote agent handler" so most servers can communicate out to report status and receive incoming updates without needing access out of the internal network?

We want to not give these servers unnecessary internet access for security reasons as well as save the bandwidth used by each server individually downloading the same content from the cloud.

18 Replies
cdinet
McAfee Employee
Message 2 of 19

Re: MVISION ePO For Servers Without Internet Access?

With MVISION, you can't set up an agent handler, so a relay server would be your other option. See KB91096 for port/traffic requirements. A relay server would not be for updates, however. But you could make that relay server a superagent so it is also a distributed repository. Don't use replication, but use lazy caching instead.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

web1b
Level 7
Message 3 of 19

Re: MVISION ePO For Servers Without Internet Access?

I don’t quite understand your reply.

You said the relay server can’t be used for updates. ENS definition updates?

So, are you saying every server configured to use MVISION ePO must still directly access the MVISION URLs through the internet to get updates even if a relay server is used? If so, what is gained by using the relay server?

cdinet
McAfee Employee
Message 4 of 19

Re: MVISION ePO For Servers Without Internet Access?

A relay server is for communication only, not repository requests. You can make that relay server a superagent repository also, so the air-gapped systems can use that also for updates (yes, ENS definitions and deployments). So by using the relay server also as a repository, your servers only need access to the relay server and your relay server needs access to ePO.


web1b
Level 7
Message 5 of 19

Re: MVISION ePO For Servers Without Internet Access?

Can you post a link with instructions on how to configure a relay server to create a local repository for air gapped systems that works with MVISION ePO’s cloud-based content?

cdinet
McAfee Employee
Message 6 of 19

Re: MVISION ePO For Servers Without Internet Access?

This is for enabling relay server.  You would want to specify the IP of the relay server so clients wouldn't need discovery, as that would need a relay server on each subnet.  Specifying the server doesn't use discovery.

https://docs.mcafee.com/bundle/agent-5.6.x-product-guide/page/GUID-7B49581D-CF7B-4FE7-B307-BC48D1492...

As for superagent, I was wrong, that can't be used in mvision.  However, there is another option.  In this section, you can set up your relay server to also be a peer-to-peer server for updates.  On the relay server, enable p2p and p2p serving - https://docs.mcafee.com/bundle/agent-5.6.x-product-guide/page/GUID-CCA2291B-1114-4999-BB4C-D6143703A...

On the clients (your servers in air-gapped environment), enable peer-to-peer communication.  P2P is for updates, relay is for communication.  

The other problem you will run into is getting the agent installed in the first place.  MVISION uses the agent smartinstaller and that requires access to epo.  So you might be better off installing a separate on prem epo server in that air-gapped environment where that epo server has access to the mcafee site for updates, or from a mirror site that can be set up on any other system that has internet access.


web1b
Level 7
Message 7 of 19

Re: MVISION ePO For Servers Without Internet Access?

Can we install the MVISION agent on the air-gapped servers manually or through internal software deployment tools instead of using an internal ePO server?

If we use an internal ePO server to push the MVISION agent, won't we need additional McAfee licensing beyond what's required for MVISION ePO?

 

If we use the relay agent for definition updates, will that also work for updating the agent and ENS to future versions and applying agent and ENS hotfixes?

cdinet
McAfee Employee
Message 8 of 19

Re: MVISION ePO For Servers Without Internet Access?

Can we install the MVISION agent on the air-gapped servers manually or through internal software deployment tools instead of using an internal ePO server?  No, because you can't get the framepkg file.  Only smartinstaller option is currently available and that requires access to the epo mvision server.

If we use an internal ePO server to push the MVISION agent, won't we need additional McAfee licensing beyond what's required for MVISION ePO?  You can't push any mvision agent from anywhere - see above, it is only smartinstall option.  You would have to set up an on premise epo server in your air gapped environment to manage those servers and your grant number should give you licensing for epo on prem also - you would need to verify by checking the download site.  I don't know what your entitlements are, but typically most grants include epo on prem.

If we use the relay agent for definition updates, will that also work for updating the agent and ENS to future versions and applying agent and ENS hotfixes?  Relay servers do not handle repository requests.  You would need to enable peer to peer serving on the relay server for any repository requests and peer to peer communication on the clients, and that includes deployment packages.


web1b
Level 7
Message 9 of 19

Re: MVISION ePO For Servers Without Internet Access?

Why can't the smartinstaller be downloaded as an installation file locally and then pushed out using internal software deployment tools or manually installed on multiple servers?

I thought MVISION ePO uses the same McAfee agent as on prem ePO, but configured to communicate with MVISION ePO instead of an on prem ePO.

cdinet
McAfee Employee
Message 10 of 19

Re: MVISION ePO For Servers Without Internet Access?

It does use the same agent.  However, the install method is different.  In mvision, there is no option to download the framepkg.exe as a file, like with on-prem.  The only option to get an agent installed with mvision is to use the smartinstaller, which is url based that the client must access to pull the necessary files.  A PER is needed to change that behavior - kb60021.  We have no other option at the moment for that.
